feat: Use SSM to pass parameters between layers.

Author: jamesiarmes

tofu/config/foundation/main.tf

@@ -30,3 +30,15 @@ module "logging" {
 
   tags = resource.aws_servicecatalogappregistry_application.application.application_tag
 }
+
+module "outputs" {
+  source = "../../modules/outputs"
+
+  prefix = "/${var.project}/${var.environment}"
+
+  outputs = {
+    "application/arn" = aws_servicecatalogappregistry_application.application.arn
+    "logging/bucket"  = module.logging.bucket
+    "logging/key"     = module.logging.kms_key_arn
+  }
+}

tofu/config/foundation/outputs.tf

@@ -1,6 +1,6 @@
-output "application_tags" {
-  description = "The tags for the Service Catalog App Registry application."
-  value       = aws_servicecatalogappregistry_application.application.application_tag
+output "application_arn" {
+  description = "ARN of the Service Catalog App Registry application."
+  value       = aws_servicecatalogappregistry_application.application.arn
 }
 
 output "logging_bucket" {

tofu/config/networking/main.tf

@@ -7,19 +7,39 @@ terraform {
   }
 }
 
+module "inputs" {
+  source = "../../modules/inputs"
+
+  prefix = "/${var.project}/${var.environment}"
+
+  inputs = ["application/arn", "logging/key"]
+}
+
 # TODO: Air gap this VPC from the internet.
 module "vpc" {
   source = "github.com/codeforamerica/tofu-modules-aws-vpc?ref=1.1.2"
 
   project         = var.project
   environment     = var.environment
   cidr            = var.vpc_cidr
-  logging_key_id  = var.logging_key_arn
+  logging_key_id  = module.inputs.values["logging/key"]
   private_subnets = var.vpc_private_subnet_cidrs
 
   # TODO: We don't need public subnets or a NAT gateway for an air gapped VPC.
   public_subnets     = var.vpc_public_subnet_cidrs
   single_nat_gateway = true
 
-  tags = var.tags
+  tags = merge({ awsApplication : module.inputs.values["application/arn"] }, var.tags)
+}
+
+module "outputs" {
+  source = "../../modules/outputs"
+
+  prefix = "/${var.project}/${var.environment}"
+
+  outputs = {
+    "vpc/id"              = module.vpc.vpc_id
+    "vpc/private_subnets" = join(",", module.vpc.private_subnets)
+    "vpc/public_subnets"  = join(",", module.vpc.public_subnets)
+  }
 }

tofu/config/networking/variables.tf

@@ -4,11 +4,6 @@ variable "environment" {
   default     = "development"
 }
 
-variable "logging_key_arn" {
-  type        = string
-  description = "The ARN of the KMS key for logging."
-}
-
 variable "program" {
   type        = string
   description = "Program the application belongs to."

tofu/config/service/main.tf

@@ -7,15 +7,23 @@ terraform {
   }
 }
 
+module "inputs" {
+  source = "../../modules/inputs"
+
+  prefix = "/${var.project}/${var.environment}"
+
+  inputs = ["application/arn", "logging/bucket", "vpc/id", "vpc/private_subnets"]
+}
+
 module "system" {
   source = "../../modules/system"
 
   environment         = var.environment
   project             = var.project
   export_expiration   = var.export_expiration
   key_recovery_period = var.key_recovery_period
-  logging_bucket      = var.logging_bucket
-  vpc_id              = var.vpc_id
-  database_subnets    = var.database_subnet_ids
-  tags                = var.tags
+  logging_bucket      = module.inputs.values["logging/bucket"]
+  vpc_id              = module.inputs.values["vpc/id"]
+  database_subnets    = split(",", module.inputs.values["vpc/private_subnets"])
+  tags                = merge({ awsApplication : module.inputs.values["application/arn"] }, var.tags)
 }

tofu/config/service/variables.tf

@@ -21,11 +21,6 @@ variable "key_recovery_period" {
   }
 }
 
-variable "logging_bucket" {
-  type        = string
-  description = "The name of the S3 bucket for logging."
-}
-
 variable "program" {
   type        = string
   description = "Program the application belongs to."
@@ -49,18 +44,3 @@ variable "tags" {
   description = "Tags to apply to all resources."
   default     = {}
 }
-
-variable "vpc_id" {
-  type        = string
-  description = "ID of the VPC to deploy resources into."
-}
-
-variable "database_subnet_ids" {
-  type        = list(string)
-  description = "The IDs of the subnets to use for the database."
-}
-
-variable "container_subnet_ids" {
-  type        = list(string)
-  description = "The IDs of the subnets to use for container resources."
-}

tofu/modules/inputs/main.tf

@@ -0,0 +1,5 @@
+data "aws_ssm_parameter" "this" {
+  for_each = toset(var.inputs)
+
+  name = join("/", compact([var.prefix, each.value]))
+}

tofu/modules/inputs/outputs.tf

@@ -0,0 +1,4 @@
+output "values" {
+  description = "Map of input names to their values."
+  value       = { for k, v in data.aws_ssm_parameter.this : k => v.insecure_value }
+}

tofu/modules/inputs/variables.tf

@@ -0,0 +1,11 @@
+variable "inputs" {
+  type        = list(string)
+  description = "Inputs to be read from SSM Parameter Store."
+  default     = []
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to prepend to all input names."
+  default     = null
+}

tofu/modules/inputs/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.9"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}